Five things to demand from your cloud service supplier

Sam Jardine, partner and head of commercial and technology, Watson Burton LLP

Cloud services have become ubiquitous for small and large companies alike, with the benefits of low capital expenditure, incremental service agreements and reduced storage requirements all making it the obvious option for everything from accountancy services to email.

We all remember the days when IT upgrades required significant financial investment up front. Psychologically this forced end users to think long and hard about the contracts they were signing. On the flip side, the simplicity of the cloud often means that customers look a little less closely at the Ts & Cs. They are, however, still putting mission critical applications in the hands of a third party and as such contracts should be treated with no less caution than any other agreement negotiated within the business. Here are five things for customers to consider before signing on the dotted line:

1) How protected is my data?

Security is paramount and any cloud provider worth their salt should be bending over backwards to reassure you that your data is safe. Make sure that your provider can produce a comprehensive disaster recovery plan. What happens if their system goes down? What is their remedy procedure? Do they have suitable mirror sites in various locations to ensure that data remains accessible if the primary site fails? Is there sufficient distance between sites?

Similarly, ask questions about the firewalls and anti-virus solutions that your supplier has in place – how often are these tested and benchmarked against newer solutions available in the market? How often are their systems penetration tested?

2) Does the supplier comply with UK data protection legislation?

If you are a data controller in respect of personal data, and you store such personal data in the cloud, you need to ensure you are compliant with the Data Protection Act 1998. You also need to ensure that the country where your data is hosted offers an adequate level of protection which satisfies the Eighth Data Protection Principle under that Act. There are ways and means of achieving such compliance, but it is unlikely that your cloud provider (at least in a commodity deal) will give you assurances over the security surrounding that data, which means you may be in breach of your obligations under the Act.

3) How many other customers’ data does the supplier have on the same servers?

You have every right to ask this question. It’s important not only from a credibility perspective but also because you need to be absolutely sure that their other customers cannot access your data. Data segregation techniques are far more sophisticated than they were in the early days of cloud; nevertheless, consider whether having a ringfenced server would grant you more comfort.

4) What payment terms am I signing up to?

More players in the market mean that prices are being squeezed in the cloud space, and there are deals to be done. Consider how you want the payment schedule to be structured. Will you be locked in or does the supplier offer a Pay As You Go option? You should also try to negotiate discounts if you are bulk buying across various applications.

5) How do I get out?

What happens when the current deal comes to an end or if you want to change providers? This is a key question to ask right from the outset. It is imperative that the contract states that you receive all of your data back, and in a native format. Vendor lock-in has been a big issue for customers trying to extract themselves from cloud contracts. Working with a cloud provider that offers an open source or vendor-independent programming language, for example, could make it easier for you to negotiate an exit – and would actually help to instil trust in the relationship from the beginning.
